We know, there’s lots of privacy news, guidance and documentation to keep up with every day. And we also know, you’re busy doing all the things required of the modern privacy professional. Sure, we distill the latest news and relevant content down in the Daily Dashboard and our weekly regional digests, but sometimes that’s even too much. To help, we offer our top-five most-read stories of the week.

1. Privacy Tech: “Deidentification versus anonymity,” by Humu Chief Privacy Officer Lea Kissner
2. IAPP Web Conference: “Privacy Engineering Live — Is Encrypted Data Personal Under the GDPR?“
3. Privacy Perspectives: “A data processing addendum for the CCPA?” by Senior Vice President & General Counsel at IAB, IAB Tech Lab and Trustworthy Accountability Group Michael Hahn and Lowenstein Sandler’s Sundeep Kapur, CIPP/US, and Matt Savare
4. Privacy Tracker: “Comparing Maine and Nevada’s new privacy laws with the CCPA,” by Baker McKenzie’s Lothar Determann and Helena Engfeldt, CIPP/E, CIPP/US
5. Privacy Tech: “FPF, Israel Tech Policy Institute to launch Privacy Tech Alliance,” by Ryan Chiavetta, CIPP/US

Looking at Canada’s Personal Information Protection and Electronic Documents Act, the word “reasonable� pops up quite often. Companies have an obligation to ensure they always act in a way a reasonable person would consider appropriate in a given circumstance. 

Almaga Consulting President Gilles Fourchet, CIPP/C, CIPT, FIP, said one area where reasonableness should play a role for privacy professionals is conducting privacy impact assessments.

He compared performing a PIA to how encryption was viewed years ago. While encryption may not have been necessary two decades ago, it is now reasonable — and expected — for it to be a part of an organization’s practices. PIAs should be treated the same way.

“If you didn’t do a privacy impact assessment 10 or 15 years ago, you got a slap on the wrist,� Fourchet said during a session at the IAPP Canada Privacy Symposium in Toronto recently. “Nowadays, you get much more than a slap on the wrist.�

Organizations would be wise to have a PIA ready to go whenever it may be needed, he added; however, the contents of the PIA are likely going to differ from entity to entity.

If “reasonable� is one word Fourchet would attach to PIAs, the other would be “subjective.� He said in risk management, what is seen as a vulnerability or a threat to one person may be entirely different from another based on industry or the types of data an entity holds.

A financial institution, for example, has to consider what would happen in the event it suffered a data breach. In its PIA, it would need to assess what would occur if financial information were to be leaked, as well as the incident’s impact would be on their institutional reputation.

Fourchet said organizations may take a quantitative approach to their determination of risk scores, but they should be cautious. Regulators will want to see the rationale behind their risk scores, which ultimately will tie back to reasonableness, he said.

“You have to justify it. You have to justify  ‘I think the risk is medium.’ At the end of the day, you might have more question than answers, but unfortunately, there is no mathematical method for you to enter numbers to get risk volatility … It’s not math. It’s not science. It’s an assessment,â€� he said.

Fourchet recommends organizations be proactive with PIAs. It’s easier to have a PIA baked into a program than attempt to fit one into a preexisting process. He added it’s important for privacy professionals crafting the PIA to meet with business owners and stakeholders as they go through establishing the document.

“Make sure the business folks keep you guys in mind from the very moment they start to have an idea,� Fourchet said. “You have to be seen as people that are adding value. A lot of times the PIA arrives at the very end of the business process. If they include you at the very beginning it would be seamless and perfect.� 

By talking with all the principle parties within an organization, privacy professionals can get a better understanding of business processes and data flows. Those conversations can help avoid legal issues. 

It is important for privacy professionals to include business owners and senior management as part of the PIA process for accountability. Fourchet said privacy professionals are a messenger, and it’s up to business owners to ensure a PIA is carried out. Accountability cannot be transferred and if an investigation were to take place; it is ultimately the organization’s problem. 

“You should act as a consultant. You provide expert opinion when writing PIAs. It is not your job to do it. It is not for you to act upon your recommendations,â€� Fourchet said. “You can advocate for your recommendations, but that is it. You are responsible, but not accountable, for your PIA. At the end of the day, privacy is not the business of your organization. Privacy should be seen as an added value and an advantage.”

Photo by Anna Kobelak

Greetings from Dublin, where summer has arrived at last … though that may change in a nanosecond!

It’s a busy time for privacy pros in Ireland’s health care sector at the moment. They are working hard to not just comply with the EU General Data Protection Regulation, but also to roll out a new framework when processing data for health research.

The Irish government’s Health Research Regulations 2018 apply in addition to the GDPR and the Data Protection Act 2018, so organizations are now creating processes to ensure that they comply with all regimes, in addition to any other regulations relating to health research and clinical trials (including the Clinical Trials Regulation — EU Regulation 536/2014 — due to commence in 2020).

In summary, the Health Research Regulations set out “suitable and specific measures� to be implemented when processing personal data for health research. These measures include a requirement that personal data is not processed in such a way that causes damage or distress to data subjects. Governance structures must be in place, including processes for ethical approval; compliance with the GDPR; and specification of the controller, funders and those with whom the personal data will be shared (even where the data is anonymized or pseudonymized). There is also a requirement to provide data protection training to researchers.

Furthermore, specific processes must be in place for the management and conduct of health research, including DPIAs, data minimization, access controls, and security measures and compliance with the GDPR. An important issue is the requirement to obtain the explicit consent of data subjects. While consent is just one of the lawful bases under which health data can be processed under Articles 6 and 9 of the GDPR, under the Health Research Regulations in Ireland, organizations must obtain the explicit consent of data subjects to process their personal data for the purposes of health research, even where another lawful basis under Articles 6 and 9 of the GDPR exists.

There is an exemption to the requirement to obtain explicit consent under the regulations where organizations apply for a “consent declaration.� This involves the government’s Consent Declaration Committee assessing the proposed research and finding that explicit consent is not required because the public interest in carrying out the research outweighs the public interest in requiring explicit consent. Utilizing this exemption may prove to be an arduous task, however, due to the extent of the information to be provided with the application and the conditions to be fulfilled in advance of the application. There is also a transition period allowed for research that commenced before 8 Aug. 2018, when organizations must obtain the explicit consent of the data subjects before 7 Aug. 2019 or seek a consent declaration.

The regulations go over and above the GDPR and may result in delays to research projects, certainly at the beginning stages while organizations implement the necessary processes and await consent declarations from the Consent Declaration Committee. At this point, most organizations engaged in health research in Ireland should have assessed their ongoing health research projects and determined whether appropriate levels of consent have been obtained or whether they must make an application for an exemption before the August deadline. DPOs must make sure that they are included in the process also. There’s never a dull moment for privacy pros!

Speaking at the Gartner Security and Risk Management Summit, former Secretary of the U.S. Department of Homeland Security Michael Chertoff said that data regulation in the U.S. may mirror the EU General Data Protection Regulation in the way of giving users more control of their data. “The focus has to change from ‘hide the data,’ which [isn’t] going to work, to ‘controlling the data,'” Chertoff said of the overall scope for any proposed regulation. He added that tech companies “are starting to acknowledge there should be some regulation about how data is used.” Chertoff also called for a closer look at tech companies bargaining free online services in exchange for user data while proposing that companies should seek to add layers to their cybersecurity systems.
Full Story 

The digital advertising industry is undergoing a rapid regulatory transformation. The EU General Data Protection Regulation went into effect more than a year ago, and the California Consumer Privacy Act is right around the corner. Other jurisdictions are likely to follow. Industry lawyers created legal frameworks to comply with the GDPR but now need to determine what changes are needed to comply with the CCPA and, potentially, future privacy laws in other states. One important part of that assessment is the data processing addendum. In this post for Privacy Perspectives, the Interactive Advertising Bureau’s Michael Hahn, along with Lowenstein Sandler’s Sundeep Kapur, CIPP/US, and Matt Savare, explore whether companies need to amend their existing data processing addenda to comply with the CCPA and if there is a long-term solution to avoid having to draft new addenda every time a jurisdiction adopts a new privacy law. 
Full Story

The digital advertising industry is undergoing a rapid regulatory transformation. The EU General Data Protection Regulation went into effect more than a year ago, and the California Consumer Privacy Act is right around the corner with a Jan. 1, 2020, effective date. Other jurisdictions are likely to follow. Industry lawyers created legal frameworks to comply with the GDPR but now need to determine what changes are needed to comply with the CCPA and, potentially, future privacy laws in other states.

One important part of that assessment is the data processing addendum. 

Emergence of the data processing addendum

Just two years ago, the concept of a data processing addendum did not even exist for many companies. Now, the data processing addendum is engrained in the lexicon of every privacy practitioner throughout the world and forms the contractual foundation upon which data is processed by one party on behalf of another. While companies continue to enter into these addenda for GDPR purposes, there is a growing buzz among industry lawyers about whether a data processing addendum is required or advisable in order to comply with the CCPA. Common questions being posed include:

• Do companies need to amend their existing data processing addenda in order to comply with the CCPA?
• Is there a long-term solution to avoid having to draft new data processing addenda every time a jurisdiction adopts a new privacy law?

GDPR data processing addenda

Article 28 of the GDPR generally requires a written contract between a “controller� and “processor� to govern the processing of personal data (in certain limited instances, a processor may be able to satisfy Article 28 through another “legal act� that is binding upon such processor, but this is not relevant for our discussion here).  

At a high level, the “controller� determines what personal data will be processed and for what purposes (i.e., “the purposes and means of processing�), and the “processor� carries out such processing based on the controller’s instructions. Their contract must contain certain provisions enumerated within Article 28, including that the processor will (1) comply with the GDPR; and (2) assist with the controller’s GDPR compliance. These provisions include promises to process personal data only on the documented instructions of the controller, provide “adequate security,� assist with data subject rights, and give appropriate breach notification, among others. Further, the contract must require the processor to flow down all such obligations to its subprocessors in similar data processing addenda.

These GDPR requirements started a flurry of activity, whereby controllers and processors entered into data processing addenda as riders to their master services agreement (or similar agreement) in order to comply with Article 28.

A CCPA data processing addendum and beyond?

Under the CCPA, compliance obligations attach to three different types of entities: (1) a “business;� (2) a “service provider;� and (3) a “third party.�  Each is a defined term under the CCPA.

Taking a cue from the GDPR, the CCPA defines a “businessâ€� as a for-profit entity that determines the “purposes and means of the processing of … personal information.â€�

A “service providerâ€� is a for-profit entity that processes this personal information “on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract ….â€� This written contract must prohibit the service provider from “retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business.â€�

Finally, a “third party� is defined in the negative. It is any entity that is not (1) a business that “collects� personal information from a consumer; or (2) a service provider with the contractual restrictions described above and in this paragraph (or any other “person� with the same such contractual restrictions). Interestingly, the “third party� definition adds prohibitions that must be included within the written contract between the business and the service provider or another person in order to not be considered a third party (although it is unclear why). 

Specifically, such written contracts must also prohibit the service provider or another person from (i) “selling� the personal information (a “sale� is a defined term under the CCPA); and (ii) retaining, using or disclosing the personal information outside of the direct business relationship with the business or for any other purpose than what is specified in the contract. It must also contain a “certification� by the service provider or another person that it understands all its contractual restrictions and will comply with them.

To sum this up: A business determines the purposes and means of processing; a service provider processes personal information on behalf of a business; and the business and service provider must have a written contract containing certain provisions. Sounds quite similar to the GDPR! However, there are two key differences:

1. It is unclear whether an entity must be provided personal information from a business in order to be considered a “service provider.� Under the GDPR, processors oftentimes collect personal information directly from customers pursuant to a controller’s orders. Under a literal reading of the CCPA, a service provider must receive personal information from a business in order to be considered as such. If that is the case — which we hope the California attorney general will clarify — then it will be more difficult for certain entities, such as analytics providers that collect information directly from a website visitor, to be considered service providers. Instead, they may be considered businesses or third parties. 
2. The CCPA’s written contract requires much less than Article 28 of the GDPR. While Article 28 of the GDPR has a list of provisions that must be included in the contract, the CCPA only prohibits a service provider from using personal information for any purpose outside of the services rendered to the business. There is no requirement, for example, for service providers to flow down their prohibitions to other service providers; however, practically speaking, this may be necessary so that service providers can better comply with their contracts with businesses (i.e., only disclose personal information to provide the services).

With the deadline fast approaching and no guidance yet from the California attorney general on these issues, businesses and service providers are well advised to make specific amendments to their existing data processing addenda (or draft a separate one) to account for the CCPA’s various idiosyncrasies, such as to ensure that the service provider is not also accidentally considered a “third party.� If a business discloses personal information to a “third party,� the business has additional obligations (e.g., to disclose the categories of third parties in its privacy policy and provide explicit notice before a third party sells to others). 

In light of the current regulatory uncertainty and the specific requirements contained in the CCPA, relying on vague “compliance with applicable laws� representations is insufficient and imprudent.

Such amendments to existing or new data processing addenda should state which entity is the “service provider� under the CCPA and that such service provider:

• Receives the personal information from the business pursuant to a “business purpose,â€� although it is unclear whether you need to state the specific business purpose.
• Will not “sellâ€� the personal information (as the term “sellâ€� is defined under the CCPA).
• Will retain, use or disclose such personal information only for the specific purpose of performing the services and within the direct business relationship with the business.
• “Certifiesâ€� that it understands its contractual restrictions and shall comply with them.

In addition, the document should address such contentious issues as indemnification, limitation of liability, and what happens in the event of a change in law.

In order to assist companies within the digital advertising ecosystem to comply with the GDPR and the CCPA (and similar state laws in the future), the Interactive Advertising Bureau and the American Association of Advertising Agencies are teaming up with stakeholders from across the ecosystem to draft a model data processing addendum to which parties can voluntarily choose to adhere. This working group will stay active so that the model can evolve as additional jurisdictions adopt new privacy laws or change existing laws. The working group plans to release the model data processing addendum in the third or fourth quarter of this year.

Photo by Jordi Vich Navarro on Unsplash

The Wall Street Journal reports on the financial benefits tech companies have seen in the first year of the EU General Data Protection Regulation. Marketers have spent more advertising dollars with larger tech companies in the GDPR-era as advertisers believe the bigger entities are more likely to remain compliant with the European rules. Established tech platforms also have a direct relationship with consumers, which makes it easier to obtain user consent from a large group of patrons. “[The] GDPR has tended to hand power to the big platforms because they have the ability to collect and process the data,� said WPP CEO Mark Read, who added the rules have “entrenched the interests of the incumbent, and made it harder for smaller ad-tech companies, who ironically tend to be European.� (Registration may be required to access this story.)
Full Story

Privacy engineering is the evolving practice of incorporating data privacy into product and service development and building data governance controls into systems that process personal information. In response to this emerging trend, the IAPP has created a new web conference series to highlight workable solutions and innovative people and ideas. Join the IAPP July 9 for the second installment of Privacy Engineering Live in which Fieldfisher Privacy and Security Information Partner Phil Lee, CIPP/E, CIPM, FIP, Enterprivacy Consulting Group Principal Consultant R. Jason Cronk, CIPP/US, CIPM, CIPT, FIP, and VeraSafe Privacy Counsel Josh Gresham, CIPP/E, discuss a question privacy professionals agree to disagree on: Is encrypted data considered personal under the EU General Data Protection Regulation? Submit any questions and comments ahead of the program to [email protected].
Full Story

In this week’s Privacy Tracker global legislative roundup, take a look at a new IAPP white paper that helps privacy professionals as they work to operationalize their California Consumer Privacy Act compliance programs. A piece for The Privacy Advisor looks at the potential future of the ePrivacy Regulation as Finland is set to start its six-month EU presidency. The Office of the Privacy Commissioner of Canada announced it has revised the framework for its transborder data flow consultation, and the Spanish Data Protection Agency, the AEPD, fined soccer league La Liga 250,000 euros for alleged violations of the EU General Data Protection Regulation.

LATEST NEWS

The European Union Aviation Safety Agency published a new set of rules on the use of drones.
More

Open Rights Group found the U.K.’s Age-Verification Certificate Standard for pornographic content does not properly meet the necessary standards for cybersecurity and data protection.
More

The New York Times released a profile on Timothy Carpenter, the man at the center of the landmark Carpenter v. United States privacy case.
More

The 9th U.S. Circuit Court of Appeals in San Francisco reinstated a class-action lawsuit against Facebook for its alleged use of an auto-dialing system to send robocalls.
More

The Denton Record-Chronicle reports on the opposition to a proposed privacy bill in Texas.
More

The Washington Post reports on the struggles to enforce the Children’s Online Privacy Protection Act and the impact it has had on the online ecosystem.
More

ICYMI

In this piece for Privacy Tracker, Mattos Filho Privacy, Data Protection and Technology Associate Alan Thomaz, CIPP/E, CIPM, FIP, and Data Protection and Tech Regulation Law Professor and Lawyer Thiago Luís Sombra, CIPP/E, write about the provision approved by Brazil‘s Congress that allows for the creation of a data protection authority for the country and amends the LGPD.
More

In this piece for The Privacy Advisor, David Thomas reports on the potential future for the ePrivacy Regulation as Finland is set to start its six-month EU presidency.
More

At the U.S. Senate Committee on Banking, Housing and Urban Affairs hearing, lawmakers sought answers on how the data broker industry operates, has evolved over time and technological progress, and what Congress should do about it. IAPP Editor Angelique Carson, CIPP/US, was at the hearing and has the details in this piece for The Privacy Advisor.
More

In this IAPP white paper, Baker McKenzie Partner Lothar Determann and IAPP Westin Fellow Mitchell Noordyke, CIPP/E, CIPP/US, CIPM, outline how businesses must develop a perspective on the definition of “account” as they work to operationalize their California Consumer Privacy Act compliance programs with respect to data access requests.
More

Steve Wright of Privacy Culture has published a white paper, housed in the IAPP Resource Center, that offers an overview of the GDPR Maturity Framework that aids a DPO, as well as the organization they represent.
More

CANADA

The Office of the Privacy Commissioner of Canada has announced a revision to the framework of its consultation on transfers for processing and transborder data flows.
More

An August 2018 federal directive states Canadian surveillance agencies can collect and share citizens’ data as part of legitimate investigations.
More

EUROPE

The Austrian Supreme Court has ruled Facebook is not permitted to take further action to block a model suit regarding its fundamental privacy issues.
More

Spain‘s Data Protection Agency, the AEPD, has fined soccer league La Liga 250,000 euros for alleged violations of the EU General Data Protection Regulation.
More

The European Data Protection Board published updated versions of its “Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation� and “Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation.�
More

US

California Senate Democrats voted to ban the use of facial-recognition technology in body cameras used by law enforcement.
More

The issue of whether police can compel someone to provide their passcode or biometric data to unlock their phone has been raised in Florida.
More

Gov. Larry Hogan, R-Md., signed a bill to amend Maryland‘s data breach notification rules.
More

Foley Hoag Security, Privacy and the Law Blog takes a look at key provisions within the New York Privacy Act.
More

A bill banning the use of facial-recognition technology in New York schools for a year has advanced to the state Assembly’s Standing Committee on Ways and Means.
More

The Vermont Supreme Court has ruled that a patient can pursue legal action against a hospital and one of its employees for privacy violations.
More

A lawsuit seeking class-action status in Washington state is alleging that the nonconsensual collection of children’s voice recordings by Amazon’s Alexa violates laws in at least eight states.
More

The Financial Times reports work on a federal U.S. privacy law has slowed down on Capitol Hill as lawmakers continue to have partisan disagreements over the potential rules.
More

Bloomberg Businessweek reports efforts to create U.S. privacy legislation, at a state and federal level, are not progressing as quickly as lawmakers had hoped.
More

A coalition of state attorneys general has asked the U.S. Federal Trade Commission for stricter reporting requirements for tech acquisitions and new rules for data brokers.
More

Sen. Amy Klobuchar, D-Minn., introduced the Protecting Personal Health Data Act, which would create protections for genetic, biometric and personal health data.
More 

A coalition of public interest groups alleges the four major wireless providers in the U.S. violated privacy laws by sharing consumers’ location data without consent.
More

Happy Flag Day from Portsmouth, New Hampshire!

We’ve spent a lot of time in recent months discussing state and federal privacy law in this country … and with good reason! There’s a lot going on and a ton to keep up with, but I want to focus today on a few developments this week involving transborder data flows. As a side note, it’s hard to believe it was less than three years ago that we were collectively focused on the fate of the EU-U.S. Privacy Shield agreement. Post-Obama presidency, the GDPR and CCPA, it seems like a distant memory. 

Earlier today, the Federal Trade Commission today announced it is taking action against several companies that falsely claimed compliance with Shield and other international privacy agreements. Specifically, it reached a settlement with a background-screening company over false claims and sent warning letters to 13 other companies for allegedly making similar false claims. 

Shield, along with standard contractual clauses, will also go on trial in the EU this July. Just in time for our Fourth of July celebrations here in the States, the General Court of the European Union (an arm of the Court of Justice of the EU) will hear a case against Shield. Three French-based organizations brought the case, which runs on similar logic to the so-called “Shrems I” case that eventually brought down the EU-U.S. Safe Harbor framework. The new complaint alleges the U.S. government is still permitted to conduct mass surveillance on EU citizens, though, according to a Hogan Lovells blog post, the organizations agree that the Shield is “a less vague scheme, and, implicitly, that it is more protective than Safe Harbor was …” The other case involves SCCs. The now-famous “Schrems II” case, which was referred to the CJEU by the Irish High Court, includes 11 questions about SCCs and whether they offer an adequate level of protection for data transferred to the U.S. from the EU. Huge consequences here in both cases. 

On more positive transborder data flow news, the IAPP’s Joe Duball recently caught up with a representative from the U.S. Department of Commerce’s International Trade Administration to discuss the naming of a new accountability agent in the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules program. As the second U.S.-based agent, Schellman now joins TrustArc subsidiary TRUSTe. Schellman Principal Debbie Zaller, CIPP/US, told Joe that “It fits right in with our other services.” She added that “it creates a lot of opportunity for all.” Along with TrustArc, including more accountability agents may help get “the word out in the world about APEC and what the certification can do for organizations.” This may well be a positive step for getting more CBPR adoption. 

We know, there’s lots of privacy news, guidance and documentation to keep up with every day. And we also know, you’re busy doing all the things required of the modern privacy professional. Sure, we distill the latest news and relevant content down in the Daily Dashboard and our weekly regional digests, but sometimes that’s even too much. To help, we offer our top-five most-read stories of the week.

1. IAPP web conference: “Operationalize Data Privacy: How to Leverage Automation, Artificial Intelligence and Machine Learning to Manage Privacy Across Thousands of Resources“ 
2. The Daily Dashboard: “Maine gov. signs new privacy bill into law“
3. The Daily Dashboard: “EDPB publishes updated GDPR guidelines“
4. IAPP Resource Center: “White Paper — CCPA Compliance Operation: Delivering Data Access via Accounts,” by Lothar Determann, partner Baker McKenzie, and Mitchell Noordyke, CIPP/E, CIPP/US, CIPM, IAPP Westin Fellow
5. Privacy Tech: “A push for meaningful corporate data research ethics reviews is underway,” by Kate Kaye, Redtail Media

Photo by Franck V. on Unsplash

Every year around this time, we collectively decide to open the windows, brush off the dust, and kick the spring season off on a clean foot. But as you are checking off your cleaning to-dos, be sure to add your social media profiles to that list. It’s obvious that social media profiles hold sensitive personal data but letting that information and unknown followers pile up can put your company, customers and employees at risk.

We live in a world where data privacy is top of mind, and in fact, this spring season marks the one-year anniversary of GDPR. Since the law went into effect, we have seen numerous cases of high profile data breaches making headlines. Now more than ever, businesses have an obligation to not only comply with data privacy laws but go above and beyond to secure proprietary, sensitive, and consumer data.

So, what can you do to protect your business, customers, and employees from data breaches and information leakage? Here are three tips for cleaning and securing your online data this spring.

#1: Clean what’s yours

You wouldn’t just clean your bedroom and leave the bathroom a mess, would you? Of course not. So, when managing your data, you first need to understand what online assets you own. Whether corporate or personal, start by taking stock of your owned social media accounts, domains, e-commerce sites, and any other digital channels where you or your company has a presence. Not only should you identify what accounts you own, but it’s necessary to review the privacy settings on those accounts. What are you sharing? Who can see your posts? Your locations? Your contact information?

One of the most overlooked ways of protecting your owned accounts is through strong passwords. You should have a unique password for each of your social media accounts, and for all accounts for that matter. The passwords should have a variety of cases, letters and symbols, and be hard to decipher. Be sure to avoid names, soccer players, musicians and fictional characters – according to the U.K. government’s National Cyber Security Center, these are some of the worst, most hackable passwords.

#2: Clean on behalf of your customers

For corporate channels, keeping owned accounts secure protects your brand’s reputation against impersonators, offensive content and spam. What’s more, it also protects your followers – which includes customers – from being exposed to that malicious content. As customers are more frequently using social media channels to engage with brands before making a purchase or obtaining a service, companies must prioritize retaining trust and loyalty among their customers.

To do so, your organization needs to, let’s say, “polish the windows” and be fully transparent with how the company will use their personal data. And with more state laws replicating the precedent set by GDPR, this visibility will not only be a best practice, but a law.

In addition, you should invest in the identification and remediation of targeted attacks and scams on your customers. This will not only help you gain their trust, but also provide them with ample protection. Finding and removing customer scams – i.e. malware links to social accounts impersonating your customer support team – will keep you and your valued customers safe online.

#3: Empower your employees to clean

Easy-to-use tools like Amplify by Hootsuite have turned employees into companies’ greatest brand ambassadors, particularly on social media. This type of promotion is invaluable to marketing teams, but whether on corporate or personal channels, employee use of social media must be addressed by security and marketing teams alike.

This spring, empower your employees to own their own social media cleanliness. By establishing and providing comprehensive education and training programs for your employees empowers them to learn the latest when it comes to corporate online policies and also social media security best practices. Traditionally, we find that companies have invested in trainings focused on email or insider threat risks but have neglected social and digital channels.

Don’t wait until next spring to clean again

Although it is best to incorporate social media security best practices into our everyday, this spring season make it a point to do a deep dive into your personal and professional social media profiles. Your brand, employees and customers will thank you, and your profiles will have a fresh glow after a long winter.

About the author: David Stuart is a senior director at ZeroFOX with over 12 years of security experiences.

Copyright 2010 Respective Author at Infosec Island

Many companies use artificial intelligence (AI) solutions to combat cyber-attacks. But, how effective are these solutions in this day and age? As of 2019, AI isn’t the magic solution that will remove all cyber threats—as many believe it to be.

Companies working to implement AI algorithms to automate threat detection are on the right track; however, it’s important to also understand that AI and automation are two entirely separate things.

Automation is a rule-based concept. You may have heard it referred to as machine learning. AI, on the other hand, involves software that is trained to learn and adapt based on the data it receives. The fact that software is capable of adapting to changes, especially in a rapidly evolving cyber threat landscape, is very promising. It’s also important to note that AI is still at a very immature stage of its development.

The promise of AI bringing cognition to the realm of software has been exciting tech enthusiasts for years. The fact remains however that it is still software. And we should all know by now that software (particularly web-based software) is vulnerable.

As AI does mature over the next few years, we can expect to see a great deal of AI-enabled automation solutions. This is especially true with regard to day-to-day routine provision tasks and particularly around SOC operations.

We must not forget that AI technologies are also a double-edged sword as not only defenders have access to such capabilities. Attackers who also possess such skills can tip the balance. Thus, with the commoditization of AI, we can expect to see more incidents like the infamous Google speech recognition API that was used to bypass Google’s own reCaptcha mechanism.

Examples such as this lead us to remember that software is only as good as the developers who designed and wrote it. After all, data science is bound by the data that is fed to the algorithms. For critical applications such as those used for medical, law enforcement, and border control purposes, we need to be aware of such pitfalls and actively filter human bias from these systems.

As IT leaders and CIOs build out their AI strategies, software security is a key consideration. Software security is always an important part of any product, whether it is in the development stage or in production, or whether it’s purchased from a vendor—AI is no exception.

When considering the possible applications (health, automotive, robotics, etc.) of AI, the importance of software security for the development of AI applications is at a really high level. It should be of high concern throughout the application’s lifecycle. And with all products brought in from third parties, security must be thoroughly vetted before being implemented.

Imagine if someone were able to take control of your AI device or software and feed it false answers. Or, picture this: an attacker who is able to control the input information that your AI needs to process—the input information that the AI will act on. For example, an attacker who is able to control the sensorics input of the surroundings of a car. Giving wrong information as input would lead to wrong decisions, which can potentially endanger lives. For this reason, the development and usage of AI must be absolutely secure.

Technologies such as interactive application security testing (IAST) allow software developers (including those developing web-based AI applications) to perform security testing during functional testing. IAST solutions help organizations to identify and manage security risks associated with vulnerabilities discovered in running web applications using dynamic testing methods. Through software instrumentation, IAST monitors applications to detect vulnerabilities. This technology is highly compatible with the future of AI.

As with all technology, the question comes down to how we apply it in practice. It’s a positive attribute that the industry is concerned about how AI can impact our lives. This should push developers and security teams to be more cautious and to find and implement mechanisms that will help us to avoid catastrophes relating to AI’s decisions and actions. In the end, AI will help us to improve our lives. We, in turn, must ensure that the software doing so is secure.

About the author: Boris Cipot is a senior security engineer at Synopsys. He helps companies of all shapes and sizes to create secure software. Boris joined Synopsys when Black Duck Software was acquired in 2017. He specializes in open source software security, robotics, and artificial intelligence.

Copyright 2010 Respective Author at Infosec Island

The implementation of the EU General Data Protection Regulation has come with a trickle-down effect on all parties involved. However, data protection officers endured more change and increased responsibilities than anyone, as their work was moved into the spotlight. Steve Wright of Privacy Culture has published a white paper, housed in the IAPP Resource Center, that offers an overview of the GDPR Maturity Framework that aids a DPO, as well as the organization they represent.
Full Story